diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index e15162d5..9b61245d 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -24,6 +24,12 @@ filter {
 field => "[tmp][records]"
 target => "az"
 }
+ mutate {
+ replace => { "message" => "%{az}" }
+ }
+ json_encode {
+ source => "message"
+ }
 } else {
 mutate {
 rename => { "tmp" => "az"}
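Review bot: The added `mutate`/`json_encode` pair appears to serialise the record twice. `%{az}` is a sprintf reference to an object field, which Logstash should already render as text, and `json_encode` with `source => "message"` then encodes that string again, so `message` likely ends up as an escaped JSON string rather than the sign-in record. For an audit pipeline where `message` is the retained raw copy, encoding the object directly is safer: `json_encode { source => "az" target => "message" }`, which also removes the `mutate`. Only the split branch rewrites `message`, so the `else` branch keeps whatever `message` held before; a comment saying whether that is intended would help. The enclosing `filter` block starts and ends outside this hunk, so confirm against the full file.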